Collision Resistant Hashing for Paranoids: Dealing with Multiple - PowerPoint PPT Presentation

Collision Resistant Hashing for Paranoids: Dealing with Multiple Collisions Eylon Yogev Weizmann Institute of Science & Moni Naor Ilan Komargodski Eurocrypt 2018, Tel Aviv

Ask less of a hash function and it is less likely to disappoint! Bellare-Rogaway ‘ 97 What is the “ right ” notion of hardness of finding collisions in a cryptographic hash function? Depends on the application! Storing passwords • Universal One-Way Hash Functions (UOWHF) Delegation of computation • Multiple Collision Resistant Hashing (MCRH) • Collision Resistant Hashing (CRH) Signatures POW/ Blockchains

Hash Functions 𝐼 hash function family Each ℎ ∈ 𝐼 is 𝒊 CRH 1. Easy to compute 𝒈 𝒚, 𝒛 2. Compressing ℎ: {0,1} 2𝑜 → 0,1 𝑜 Easy to sample ℎ ← 𝐼 Adv wins if 𝒊 𝒚 = 𝒊(𝒛) 𝒚, 𝒊 UOWHF 𝒈 𝒛 Adv wins if 𝒊 𝒚 = 𝒊(𝒛) 3

Collision Resistant Hash Functions 𝒊 CRH 𝒈 𝒚, 𝒛 Adv wins if 𝒊 𝒚 = 𝒊(𝒛) • Assumptions yielding CRH: Factoring, DL, LWE … • Popular CRH: SHA-2, SHA-3 … • Black-box separation from one-way permutations [Simon98] • Composes nicely: small compression yields any polynomial compression ℎ: 0,1 𝑜 𝑑 → 0,1 𝑜 4

Succinct Commitment: Local Opening Committing to a long string by a short one Merkle-tree construction: • Key application is succinct and local arguments [Kilian92,BarakGoldreich08] : • Input 𝑦 is a PCP proof for a statement • Verifier opens a small number of 𝑦 1 𝑦 2 𝑦 3 𝑦 4 𝑦 5 𝑦 6 𝑦 7 𝑦 8 positions • Opening is given by the path to the root 𝑧 5

Succinct Commitment: Local Opening Committing to a long string by a short one Merkle-tree construction: • Key application is succinct and local arguments [Kilian92,BarakGoldreich08] : • Input 𝑦 is a PCP proof for a statement • Verifier opens a small number of 𝑦 1 𝑦 2 𝑦 3 𝑦 4 𝑦 5 𝑦 6 𝑦 7 𝑦 8 positions • Opening is given by the path to the root 𝑧 6

Succinct Commitment: Local Opening Committing to a long string by a short one Merkle-tree construction: • Key application is succinct and local arguments [Kilian92,BarakGoldreich08] : • Input 𝑦 is a PCP proof for a statement • Verifier opens a small number of 𝑦 1 𝑦 2 𝑦 3 𝑦 4 𝑦 5 𝑦 6 𝑦 7 𝑦 8 positions • Opening is given by the path to the root • More applications: • Constant-round zero-knowledge arguments • Constant-round statistical zero-knowledge • Memory delegation • Statistically hiding commitments • … 𝑧 7

𝑙 -Multi Collision Resistant Hashing 𝒊 MCRH 𝒈 𝒚 𝟐 , … , 𝒚 𝒍 Adv wins if 𝒊 𝒚 𝟐 = ⋯ = 𝒊(𝒚 𝒍 ) • MCRH but not CRH: let ℎ be a CRH, 𝑦 = 𝑦 1 … 𝑦 𝑜 and ℎ’(𝑦) = ℎ(𝑦 2 … 𝑦 𝑜 ) Then ℎ’ is a 3-MCRH but not a CRH! • MCRH do not compose nicely [Joux04]! 8

The Bipartite Ramsey Problems [KNY17] The bipartite Ramsey Problem: Given a bipartite 2 𝑜 × 2 𝑜 graph, given implicitly by a 𝑞𝑝𝑚𝑧(𝑜) circuit • 𝑜 𝑜 find a bipartite clique or IS of size 4 × 4 . • This problem is in TFNP, but is it hard? Theorem: • 𝑜 -MCRH exists ⇒ bipartite Ramsey is hard. 𝑜 • bipartite Ramsey is hard ⇒ 4 - MCRH exists. 9

The Four Worlds of Cryptographic Hashing Nocrypt : Minihash: Unihash : Hashomania: ∄ one-way ∃ Multi-CRH UOWHF ∃ CRH functions exist but but (∄ UOWHF) ∄ CRH ∄ Multi-CRH Contains major cryptographic primitives! Worlds have black-box separations

Our Results Theorem 1: k-MCRH ⇒ constant-round short commitment with local-opening (and statistically hiding). • Works for any k. • To commit to 𝑜 𝑑 bits the output is ෨ 𝑃 ( 𝑜) bits with 𝑃(𝑑) rounds. w. local opening in full ver Theorem 2: k-MCRH ⇒ 4-round short commitment (no local-opening). • Works for any constant k (or for any k with slightly stronger assumption). • Suffices for constant-round statistical zero-knowledge arguments. Theorem 3: k-MCRH does not imply standard CRH (in a black-box manner). • Actually, we separate k-MCRH from (k+1)-MCRH. • Separate MCRH from one-way permutations [Haitner-Hoch-Reingold-Segev-15].

Find: Additional Observations ℎ 𝑦 1 = ℎ 𝑧 1 , … , ℎ 𝑦 𝑙 = ℎ 𝑧 𝑙 • Lemma 1: Multi-Pair Collision Resistance ֞ CRH. • Lemma 2: MCRH ⇒ UOWHF (efficiently) ⇒ OWF. • Lemma 3: Short commitment ⇒ UOWHF (efficiently). • Assuming the receiver is public-coin.

Theorem 1: k-MCRH ⇒ constant-round short commitment with local-opening (and statistical hiding).

Simple Example Sender Receiver ℎ Input: 𝑦 Sample ℎ ∈ 𝐼 (3-MCRH family) 𝑧 = ℎ(𝑦) 𝑧 𝑦 ′ : Commitment = 𝑧 ℎ 𝑦 ′ = 𝑧 Not committing! Solution: add pair-wise hash function – in new round 14

Simple Example Sender Receiver ℎ Input: 𝑦 Sample ℎ ∈ 𝐼 (3-MCRH family) 𝑧 = ℎ(𝑦) 𝑧 Sample 𝑕 ∈ 𝐻 (pairwise family) 𝑕 𝑣 = 𝑕(𝑦) 𝑣 𝑦 ′ : Commitment = 𝑧, 𝑣 ℎ 𝑦 ′ = 𝑧 𝑕 𝑦 ′ ≠ 𝑣 Remark: can reduce communication Committing! by using an almost pairwise hash function 15

Simple Example - Proof Adversary Receiver ℎ Sample ℎ ∈ 𝐼 (3-MCRH family) 𝑧 Sample 𝑕 ∈ 𝐻 (pairwise family) 𝑕 𝑣 Commitment = 𝑧, 𝑣 𝑦 1 , 𝑦 2 ℎ 𝑦 1 = ℎ 𝑦 2 = 𝑧 𝑕 𝑦 1 = 𝑕 𝑦 2 = 𝑣 16

Simple Example - Proof Adversary Receiver ℎ Sample ℎ ∈ 𝐼 (3-MCRH family) 𝑧 Sample 𝑕′ ∈ 𝐻 (pairwise family) Did we find a 3-collision? 𝑕′ Pr 𝑕 ′ 𝑦 1 = 𝑕 ′ 𝑦 2 = 2 −𝑨 => 𝑣′ ℎ 𝑦 1 = ℎ 𝑦 2 = 𝑧 = ℎ 𝑦 3 = ℎ(𝑦 4 ) 𝑦 1 , 𝑦 2 , 𝑦 3 , 𝑦 4 form a 3-collision! 𝑕 𝑦 1 = 𝑕 𝑦 2 = 𝑣 𝑦 3 , 𝑦 4 𝑕′ 𝑦 3 = 𝑕′ 𝑦 4 = 𝑣′ 17

Full Construction Ingredients: will be determined later 1. 𝐼 – a k-MCRH family. 2. 𝐻 – pairwise independent hash family from 2𝑜 bits to 𝑨 bits. Protocol: 1. R ⇒ S : Samples ℎ ∈ 𝐼 and sends h. 𝑦 = 𝑦 1 𝑦 2 𝑦 3 𝑦 4 𝑦 5 𝑦 6 𝑦 7 𝑦 8 2. S ⇒ R : Compute a Merkle tree and 𝑕(𝑦 3 𝑦 4 ) send the root-hash 𝑧 . 3. R ⇒ S : Sample 𝑕 ∈ 𝐻 and send 𝑕 . 𝜌 1 𝜌 2 𝜌 3 𝜌 4 4. S ⇒ R : Send 𝑦 ′ = 𝑣 1 , … , 𝑣 𝑂 , where 𝑣 𝑗 = 𝑕 𝜌 𝑤 𝜌 𝑂 𝑤 𝑕(𝜌 1 𝜌 2 ) 𝑤∈path i 𝜌 5 𝜌 6 5. Important: 𝑦 ′ < |𝑦| 𝑕(𝜌 5 𝜌 6 ) Note: this is not a hash-tree of 𝑕 𝜌 7 𝑧 =

Full Construction Ingredients: will be determined later 1. 𝐼 – a k-MCRH family. 2. 𝐻 – pairwise independent hash family from 2𝑜 bits to 𝑨 bits. Protocol: 1. R ⇒ S : Samples ℎ ∈ 𝐼 and sends h. 𝑦 = 𝑦 1 𝑦 2 𝑦 3 𝑦 4 𝑦 5 𝑦 6 𝑦 7 𝑦 8 2. S ⇒ R : Compute a Merkle tree and 𝑕(𝑦 3 𝑦 4 ) send the root-hash 𝑧 . 3. R ⇒ S : Sample 𝑕 ∈ 𝐻 and send 𝑕 . 𝜌 1 𝜌 2 𝜌 3 𝜌 4 4. S ֞ R : Recursively interact to commit on the string 𝑦 ′ = 𝑣 1 , … , 𝑣 𝑂 , where 𝑕(𝜌 1 𝜌 2 ) 𝑣 𝑗 = 𝑕 𝜌 𝑤 𝜌 𝑂 𝑤 𝑤∈path i 𝜌 5 𝜌 6 Important: 𝑦 ′ < |𝑦| 𝑕(𝜌 5 𝜌 6 ) Note: this is not a hash-tree of 𝑕 𝜌 7 𝑧 =

Full Construction Ingredients: will be determined later 1. 𝐼 – a k-MCRH family. 2. 𝐻 – pairwise independent hash family from 2𝑜 bits to 𝑨 bits. Protocol: 1. R ⇒ S : Samples ℎ ∈ 𝐼 and sends h. 𝑦 = 𝑦 1 𝑦 2 𝑦 3 𝑦 4 𝑦 5 𝑦 6 𝑦 7 𝑦 8 2. S ⇒ R : Compute a Merkle tree and 𝑕(𝑦 3 𝑦 4 ) send the root-hash 𝑧 . 3. R ⇒ S : Sample 𝑕 ∈ 𝐻 and send 𝑕 . 𝜌 1 𝜌 2 𝜌 3 𝜌 4 4. S ֞ R : Recursively interact to commit on the string 𝑦 ′ = 𝑣 1 , … , 𝑣 𝑂 , where 𝑕(𝜌 1 𝜌 2 ) 𝑣 𝑗 = 𝑕 𝜌 𝑤 𝜌 𝑂 𝑤 𝑤∈path i 𝜌 5 𝜌 6 Important: 𝑦 ′ < |𝑦| 𝑕(𝜌 5 𝜌 6 ) Note: this is not a hash-tree of 𝑕 𝜌 7 𝑧 =

Full Construction Ingredients: 1. 𝐼 – a k-MCRH. 2. 𝐻 – pairwise independent hash family from 2𝑜 bits to 𝑨 bits. Parameters: Input size: 𝑜 𝑑 𝑦 = 𝑦 1 𝑦 2 𝑦 3 𝑦 4 𝑦 5 𝑦 6 𝑦 7 𝑦 8 Set: 𝑨 = 𝑜 1−𝜀 Size of 𝑦 ′ : 𝑜 𝑑−1 𝑨 = 𝑜 𝑑−𝜀 𝑕(𝑦 3 𝑦 4 ) 𝑑 𝜀 = 𝑃 1 𝜌 1 𝜌 2 #rounds: 𝜌 3 𝜌 4 𝑕(𝜌 1 𝜌 2 ) Remark: Use the same ℎ in all recursions 𝜌 5 𝜌 6 𝑕(𝜌 5 𝜌 6 ) 𝜌 7 𝑧 =

Proof Protocol: 1. R ⇒ S : Samples ℎ ∈ 𝐼 and sends h. 2. S ⇒ R : Compute a Merkle tree and send the root-hash 𝑧 . 3. R ⇒ S : Sample 𝑕 ∈ 𝐻 and send 𝑕 . 4. S ֞ R : Recursively interact to commit on the string 𝑦 ′ = 𝑣 1 , … , 𝑣 𝑂 , where 𝑣 𝑗 = 𝑕 𝜌 𝑤 𝜌 𝑂 𝑤 𝑤∈path i . 𝑦 = 𝑦 1 𝑦 2 𝑦 3 𝑦 4 𝑦 5 𝑦 6 𝑦 7 𝑦 8 𝑕(𝑦 3 𝑦 4 ) Proof: 1. Let A be an adversary. 𝜌 1 𝜌 2 𝜌 3 𝜌 4 2. Run A to get a pair of openings 3. Partially rewind A and re-run with 𝑕(𝜌 1 𝜌 2 ) a freshly sampled 𝑕 ∈ 𝐻 𝜌 5 𝜌 6 4. Repeat until there is a node with k distinct values 𝑕(𝜌 5 𝜌 6 ) Iterations are not not independent ⇒ 𝜌 7 𝑧 = proof uses Azuma ’ s inequality